
SNMP, NetFlow, Syslog

This document is a study note on IP services in ICND2, and everything in it is strictly
within the study guides. A few extra topics are discussed only for clarity of the
subject. I have tried my best to be very clear on the topics discussed. I believe this study
note will help you a lot in your studies for the ICND2 exam.

CHAPTER 1
SNMP
What is SNMP?
Simple Network Management Protocol (SNMP) is an application-layer protocol defined by
the Internet Architecture Board (IAB) for exchanging management information between
network devices. It is a part of the Transmission Control Protocol/Internet Protocol (TCP/IP)
protocol suite. Devices that typically support SNMP include routers, switches, servers,
workstations, printers and modem racks.

In typical SNMP use, one or more administrative computers, called managers, have the
task of monitoring or managing a group of hosts or devices on a computer network. Each
managed system executes, at all times, a software component called an agent which
reports information via SNMP to the manager. SNMP communicates management
information between the network management stations and the agents in the network
elements.
Some examples of the type of information that can be retrieved through SNMP are:
System up time
CPU usage level
Disk usage level
Network settings, etc.
Not only can information be retrieved, but these network devices can also be configured
with new values through SNMP.

SNMP basic components and their functionalities


SNMP has the following five key components:
SNMP agent software, which runs on managed devices
Network management station (NMS) software, which runs on the manager (e.g. Cisco Prime)
Management Information Base (MIB), a database
SNMP messages
SNMP communities

SNMP Agent:
The agent is a program that is packaged within the managed device. Enabling the agent
allows it to collect management information from the device locally and make it available
to the SNMP manager when queried. These agents can be standard (e.g. Net-SNMP) or
specific to a vendor (e.g. HP Insight Agent). On Cisco routers and switches it is not
required to install any agent software.
Key functions of an SNMP agent:
Collects management information about its local environment
Stores and retrieves management information as defined in the MIB
Signals an event to the manager
Acts as a proxy for some non-SNMP manageable network node
Replies to NMS queries
Changes MIB variables when requested by the NMS

Network Management Station (NMS)
An NMS is a host that executes network management applications, such as Cisco Prime,
that monitor and control the agents. The key functions of the NMS are:
Queries agents
Gets responses from agents
Sets variables in agents
Acknowledges asynchronous events from agents
Note: NMS and SNMP manager are used interchangeably to refer to applications like Cisco
Prime.

Management Information Database or Management Information Base (MIB)
Every SNMP agent maintains an information database describing the managed device
parameters. The SNMP manager uses this database to request specific information from
the agent and further translates the information as needed for the Network Management
System (NMS). This commonly shared database between the agent and the manager is
called the Management Information Base (MIB). The database is hierarchical (tree-structured)
and each entry is addressed through an object identifier (OID). Each OID identifies a
variable that can be read or set via SNMP. Typically these MIBs contain a standard set of
statistical and control values defined for hardware nodes on a network. SNMP also allows
the extension of these standard values with values specific to a particular agent through
the use of private MIBs.

Object Identifier (OID)
The most basic component of the structure used in SNMP is an object. Every piece of
information that can be queried through SNMP is viewed in terms of an object. For
example, a system's up time is an object known as sysUpTime. Every object has an
associated ID known as the Object ID or OID, which is unique for every object. A group of
objects forms a MIB.
Every Object ID is organized hierarchically in the MIB. The MIB hierarchy can be represented
as a tree structure with an individual identifier for each variable. A typical object ID is a
dotted list of integers. For example, the OID in RFC 1213 for "sysDescr" is .1.3.6.1.2.1.1.1.
RFCs define some common public variables, but most organizations define their own private
branches along with the basic SNMP standards. Networking equipment vendors like Cisco can
define their own private branches of the tree to accommodate new variables specific to their
own devices.
Let us take a look at a Cisco OID.
1.3.6.1.4.1.9.1.13
1 ----> iso
3 ----> org
6 ----> dod
1 ----> internet
4 ----> private
1 ----> enterprise
9 ----> cisco
1 ----> ciscoproducts
13 ---> cisco2500
Each integer in the OID is a node in the hierarchical tree of OIDs, and a node can have
many branches. For example, 9 is cisco, which is a node in the tree and can have many
branches. The last integer, 13, in the above example has no branches.

Every object in the MIB is a MIB variable, denoted by its OID; MIB variable and OID are
used interchangeably. The MIB variables contain pertinent management information like
interface up/down, 90% CPU used, etc.

SNMP Messages
GET: This message is a request sent by the manager to the managed device. It is
performed to retrieve one or more values from the managed device.
GET-NEXT: This message is similar to GET. The significant difference is that the GET-NEXT
operation retrieves the value of the next OID in the MIB tree.
GET-BULK: This message is initiated by the manager to retrieve voluminous data from a
large MIB table. It is supported only in SNMPv2 and v3.
SET: This message is used by the manager to modify or assign the value of a variable on
the managed device.
TRAP: Unlike the above messages, which are initiated by the SNMP manager, TRAPs are
initiated by the agents. A trap is a signal from the agent to the SNMP manager on the
occurrence of an event.
INFORM: This message is sent by the manager to the agent to acknowledge a TRAP message
received from the agent, since traps use UDP; it was introduced in SNMPv2.
RESPONSE: This is the reply message from the agent to the GET, GET-NEXT, GET-BULK and
SET messages initiated by the SNMP manager.

SNMP Communities
An SNMP community is the group that devices and management stations running SNMP
belong to. It helps define where information is sent. The community name is used to
identify the group. An SNMP device or agent may belong to more than one SNMP
community. It will not respond to requests from management stations that do not belong to
one of its communities. To enable successful communication between an SNMP agent and
an SNMP manager, you must configure at least one community name in SNMP. A
community name acts as a password that is shared, typically, by multiple SNMP agents
and one or more SNMP managers. An SNMP agent only accepts requests from SNMP
managers that are on the agent's list of acceptable community names.
SNMP community strings authenticate access to MIB objects and function as embedded
passwords. In order for the NMS to access the agent, the community string definitions on
the NMS must match at least one of the three community string definitions on the agent.
A community string can have one of these attributes:
Read-only: Gives read access to authorized management stations to all objects in the MIB
except the community strings, but does not allow write access.
Read-write: Gives read and write access to authorized management stations to all objects
in the MIB, but does not allow access to the community strings.
Read-write-all: Gives read and write access to authorized management stations to all
objects in the MIB, including the community strings.

Versions in SNMP
SNMPv1 supports plaintext authentication with community strings and uses only UDP. UDP
port 161 is used by default, and TRAP/INFORM messages use port 162.
SNMPv2 revises version 1 and includes improvements in the areas of performance,
confidentiality, and manager-to-manager communications. It also supports plaintext
authentication. It offers a more detailed error message reporting method, but it is not more
secure than v1. It uses UDP by default, though it can be configured to use TCP.
SNMPv3 primarily added security and remote configuration enhancements to SNMP.
Although SNMPv3 makes no changes to the protocol aside from the addition of
cryptographic security, it looks much different due to new textual conventions, concepts,
and terminology. SNMPv3 uses cryptography in three areas:
1. Data integrity (MD5 or SHA-1)
2. Authentication (MD5 or SHA-1)
3. Privacy (DES, 3DES, AES)
Model  Level         Authentication    Encryption
V1     NoAuthNoPriv  Community string  None
V2c    NoAuthNoPriv  Community string  None
V2u    NoAuthNoPriv  Username          None
V3     NoAuthNoPriv  Username          None
V3     AuthNoPriv    MD5 or SHA        None
V3     AuthPriv      MD5 or SHA        DES, 3DES, AES

Auth stands for Authentication and Priv stands for Privacy.
Authentication provides data integrity by MD5 or SHA-1 hashing and data origin
authentication.
Privacy provides protection against disclosure of the message by encryption such as
DES, 3DES or AES.
Note: though SNMPv1 and v2 authenticate by community string or username, they are still
denoted NoAuth because they do not use hashing.
You may read the following link to get a fundamental understanding of security for CCNA:
https://learningnetwork.cisco.com/docs/DOC-25770
SNMPv3 can use both UDP and TCP.
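The following is an added example, not code from this study note, showing what the "Auth" part of SNMPv3 actually does. It implements the RFC 3414 password-to-key algorithm (Appendix A.2), localization of that key to one agent's engine ID, and the 12-byte HMAC-MD5-96 / HMAC-SHA-96 tag that authenticates a v3 message. The message framing (length-prefixed engine ID and user name, a 12-byte authParams field, then the payload), the engine ID, user, password and payload are all constructed for the demo; a real USM message is BER-encoded ASN.1. The privacy layer (DES/3DES/AES) is omitted because it needs a cipher library outside the Python standard library.

```python
"""SNMPv3 USM authentication (authNoPriv), reduced to its core. Added example."""
import hashlib
import hmac

AUTH_ALGOS = {"md5": hashlib.md5, "sha": hashlib.sha1}  # SNMPv3 MD5 / SHA-1 auth protocols
ONE_MIB = 1048576


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated out to exactly 1,048,576 bytes)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return AUTH_ALGOS[algo](stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || engineID || Ku). A key recovered from one
    agent is useless against an agent with a different engine ID."""
    return AUTH_ALGOS[algo](ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the whole message, truncated to 12 bytes."""
    return hmac.new(kul, message, AUTH_ALGOS[algo]).digest()[:12]


def build_message(engine_id: bytes, user: str, password: str, algo: str, payload: bytes) -> bytes:
    """Sender side: compute the tag with authParams zeroed, then fill it in.
    Constructed framing: len(engineID) | engineID | len(user) | user | tag(12) | payload."""
    kul = localize_key(password_to_key(password, algo), engine_id, algo)
    header = bytes([len(engine_id)]) + engine_id + bytes([len(user)]) + user.encode()
    unsigned = header + b"\x00" * 12 + payload
    return header + auth_tag(kul, unsigned, algo) + payload


def verify_message(message: bytes, user_db: dict, algo: str):
    """Receiver side: (True, payload) only if the HMAC matches for a known user.
    user_db maps user name -> password, i.e. the agent's configured USM users."""
    n = message[0]
    engine_id = message[1:1 + n]
    m = message[1 + n]
    user = message[2 + n:2 + n + m].decode()
    tag = message[2 + n + m:14 + n + m]
    payload = message[14 + n + m:]
    if user not in user_db or len(tag) != 12:
        return False, b""
    kul = localize_key(password_to_key(user_db[user], algo), engine_id, algo)
    unsigned = message[:2 + n + m] + b"\x00" * 12 + payload
    if not hmac.compare_digest(tag, auth_tag(kul, unsigned, algo)):
        return False, b""
    return True, payload


# Constructed demo values: a 12-byte engine ID, one USM user, one GET payload.
ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")
USERS = {"nmsuser": "maplesyrup"}
PAYLOAD = b"GET 1.3.6.1.2.1.1.3.0"


def demo(algo: str = "sha") -> dict:
    """Genuine message verifies; a flipped payload bit or a wrong password does not."""
    good = build_message(ENGINE_ID, "nmsuser", "maplesyrup", algo, PAYLOAD)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    forged = build_message(ENGINE_ID, "nmsuser", "wrongpass", algo, PAYLOAD)
    return {
        "genuine": verify_message(good, USERS, algo)[0],
        "tampered": verify_message(tampered, USERS, algo)[0],
        "wrong_password": verify_message(forged, USERS, algo)[0],
    }
```

Contrast this with v1/v2c in the table above: a community string travels in the clear and anyone who captures it can replay it, whereas here the password never leaves the NMS and a captured tag is bound to one message and one engine ID. The password-to-key output can be checked against the test vectors in RFC 3414 Appendix A.3.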

How does SNMP work?
The NMS periodically queries, or polls, the SNMP agent on a device to gather and analyse
statistics via GET messages. This periodic query of the agent by the NMS is called polling. The
agent replies to these GET messages with RESPONSE messages. Most commonly, a
network administrator gathers and stores statistics over time using Network Management
Station software. Important to these administrators is the analysis of various statistical facts
such as averages, minimums, and maximums. These statistics can be viewed as a graph.
For example, on routers you can monitor network traffic, but do not confuse this with
NetFlow: SNMP might give a statistic like 15 GB of outbound traffic, but cannot give details of
who is accessing the network and which application is using the network most. NetFlow can
provide a more in-depth analysis of network usage.

An SNMP agent can also send unsolicited MIB information to the SNMP manager in
response to an event that has been defined as an SNMP trap (unexpected event). NMS
software might alert the engineer through various alert mechanisms such as a change in
colour code, alarms, or an SMS or email alert. To be proactive, the software can also
be configured to alert the engineer when a service or health check counter on a device
exceeds or goes below a certain limit. For example, it can be configured to alert when CPU
usage exceeds 80% or CPU temperature exceeds a certain limit. Some traps are enabled by
default and others have to be configured if you wish. A trap can also be configured for
syslog notifications.
Devices send trap messages with no acknowledgement that the NMS received the
message; using protocol terminology, these messages are considered unreliable. A later
version of the SNMP protocols (version 3) supports an alternative process with inform
messages, which use an acknowledgement process, so they are called reliable.
When a trap is received from the agent, the administrator can troubleshoot the device by
initiating GET, GET-NEXT, GET-BULK or SET. You can even reconfigure the device through
the SNMP variables in the MIB via SET messages, if you permit this level of control. For
example, replacing the running/startup configuration, rebooting the router and so on can
be done by SET messages, but only if a read-write community is configured.
When an SNMP manager sends a query or set request to the SNMP agent, the SNMP
service compares the community name of the requestor with the community name of the
agent and its access permissions. If the names match, the SNMP manager is successfully
authenticated, and the agent replies to the query or performs the set request. If the
community names do not match, the SNMP agent considers the request a failed access
attempt and, if configured to do so, can send an SNMP trap message notifying the trap
destination that an improper access has been attempted.

SNMPv2 Configuration
Just three steps configure SNMP on a Cisco device:
1. Configure communities (required)
2. Configure SNMP contact information (optional)
3. Configure SNMP location (optional)
A community has the following sub-parameters:
1. String (required)
2. Access mode: ro/rw (optional, ro is the default)
3. ACL name or number (optional)
It is better to specify ro/rw based on your requirement; for some IOS versions ro is the
default and for some rw is the default. This I write based on my experience in the lab. For
CCNA we study only these 3 sub-parameters; actually there are more.
Example configuration:
Router#conf t
Router(config)#snmp-server community ninja ro
Router(config)#snmp-server contact Dial System Operator at beeper 21555
Router(config)#snmp-server location Building 3/Room 222
Router(config)#end
Router#copy run start
snmp-server community string [ro | rw] [acl-name or number]
For string, specify a string that acts like a password and permits access to the SNMP
protocol. You can configure one or more community strings of any length.
Specify either read-only (ro) if you want authorized management stations to retrieve MIB
objects, or read-write (rw) if you want authorized management stations to retrieve
and modify MIB objects. (Optional)
Specify the access-list name or number to permit only the NMS software to access the agent.
(Optional)
The snmp-server location command specifies where the agent is located.
The snmp-server contact command specifies whom the NMS should contact for the agent.
Cisco devices call the agent application snmp-server (this is my own observation).
Another example, for the read-write option:
R2(config)# ip access-list standard ACL_PROTECTSNMP
R2(config-std-nacl)# permit host 10.20.20.201
R2(config-std-nacl)# exit
R2(config)# snmp-server community T3nn1sB@ll RW ACL_PROTECTSNMP
R2(config)# snmp-server location New York
R2(config)# snmp-server contact John Sequeira
R2(config)# end
R2#copy run start
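To tie the message types, the community attributes and the configuration above together, here is an added example (not code from this study note and not Cisco IOS) that models the checks an agent performs on each request: does the community string exist, is the requesting NMS permitted by the ACL attached to it, does the access mode allow SET, and then the GET / GET-NEXT / GET-BULK / SET semantics against a small MIB. The community strings and the ACL mirror the two configurations above; the MIB values are constructed, while the OIDs used as keys are the standard RFC 1213 system-group objects (sysDescr, sysUpTime, sysContact, sysName, sysLocation under 1.3.6.1.2.1.1).

```python
"""Model of an SNMP agent's community/ACL/access-mode checks. Added example."""
from ipaddress import ip_address, ip_network

# Constructed MIB: OID tuple -> [value, writable]. Each entry is one MIB variable.
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): ["Cisco IOS Software (constructed sysDescr)", False],
    (1, 3, 6, 1, 2, 1, 1, 3, 0): [123456, False],          # sysUpTime.0, in ticks
    (1, 3, 6, 1, 2, 1, 1, 4, 0): ["John Sequeira", True],  # sysContact.0
    (1, 3, 6, 1, 2, 1, 1, 5, 0): ["R2", True],             # sysName.0
    (1, 3, 6, 1, 2, 1, 1, 6, 0): ["New York", True],       # sysLocation.0
}

# Community table: string -> (access mode, permitted NMS networks or None for any).
COMMUNITIES = {
    "ninja": ("ro", None),                          # read-only, any source
    "T3nn1sB@ll": ("rw", ["10.20.20.201/32"]),      # read-write, ACL_PROTECTSNMP
}


class Agent:
    def __init__(self, mib, communities):
        self.mib = mib
        self.communities = communities
        self.traps = []   # authenticationFailure traps the agent would send out

    def _authorize(self, src_ip, community):
        """Community must exist and, if an ACL is attached, the NMS must be permitted."""
        entry = self.communities.get(community)
        if entry is None:
            return None
        mode, acl = entry
        if acl is not None and not any(ip_address(src_ip) in ip_network(n) for n in acl):
            return None
        return mode

    def handle(self, src_ip, community, op, oid, value=None, max_repetitions=1):
        mode = self._authorize(src_ip, community)
        if mode is None:
            # Failed access attempt: no RESPONSE, but a trap to the trap destination.
            self.traps.append({"trap": "authenticationFailure", "from": src_ip})
            return {"error": "authenticationFailure"}
        if op == "get":
            if oid not in self.mib:
                return {"error": "noSuchObject"}
            return {"varbinds": [(oid, self.mib[oid][0])]}
        if op == "getnext":
            return {"varbinds": self._next(oid, 1)}
        if op == "getbulk":
            return {"varbinds": self._next(oid, max_repetitions)}
        if op == "set":
            if mode != "rw":
                return {"error": "notWritable"}      # a ro community can never SET
            if oid not in self.mib or not self.mib[oid][1]:
                return {"error": "notWritable"}      # read-only object
            self.mib[oid][0] = value
            return {"varbinds": [(oid, value)]}
        return {"error": "genErr"}

    def _next(self, oid, count):
        """GET-NEXT / GET-BULK: walk the MIB in lexicographic OID order after `oid`."""
        following = [k for k in sorted(self.mib) if k > oid]
        if not following:
            return [(oid, "endOfMibView")]
        return [(k, self.mib[k][0]) for k in following[:count]]


def walk(agent, src_ip, community, root=(1, 3, 6, 1, 2, 1, 1)):
    """snmpwalk-style traversal: repeated GET-NEXT until endOfMibView."""
    out, oid = [], root
    while True:
        reply = agent.handle(src_ip, community, "getnext", oid)
        if "error" in reply or reply["varbinds"][0][1] == "endOfMibView":
            return out
        oid, value = reply["varbinds"][0]
        out.append((oid, value))


def make_agent():
    """Fresh agent with its own copy of the MIB so SETs do not leak between runs."""
    return Agent({k: list(v) for k, v in MIB.items()}, COMMUNITIES)
```

The two things worth noticing are that the wrong community and the right community from a non-permitted NMS are indistinguishable to the requester (both are silent failures that raise a trap), and that a read-only community is rejected on SET before the OID is even looked at.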

Obtaining a MIB Value with SNMPGET on the NMS
[13:22][cisco@NMS~ ]$ snmpget -v2c -c community 10.250.250.14 1.3.6.1.4.1.9.2.1.58.0
SNMPv2-SMI::enterprises.9.2.1.58.0 = INTEGER: 11
The command above is rather long, with several parameters, as follows:
-v2c: The version of SNMP in use
-c community: The SNMP password, called a community string
10.250.250.14: The IP address of the monitored device
1.3.6.1.4.1.9.2.1.58.0: The numeric object identifier (OID) of the MIB variable
Note: This snmpget command is run on the NMS, not on the agent.

CHAPTER 2
NETFLOW
What is NetFlow?
NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect
IP network traffic as it enters or exits an interface. NetFlow data is generated by network
devices like routers and firewalls. Flow data will generally contain details like source and
destination IP addresses, port numbers, protocols, and more. By analyzing the data
provided by NetFlow, a network administrator can determine things such as the source and
destination of traffic, class of service, and the causes of congestion. The term NetFlow is
proprietary to Cisco, but other vendors have their own versions of flow export. For instance,
Juniper calls it J-Flow, and several vendors, including HP and Fortinet, use sFlow.
Cisco routers and switches export NetFlow as UDP packets. NetFlow v5 is the most
popular NetFlow format, but it is not compatible with IPv6. Because of this, NetFlow v5 is
slowly being replaced by NetFlow v9, which supports IPv6. In addition, the IETF is working
on a new version of NetFlow called IPFIX (sometimes referred to as NetFlow v10). NetFlow
version 9 is the latest Cisco IOS NetFlow innovation.
When Cisco set out to create NetFlow, they recognized two key criteria in its creation:
NetFlow should be completely transparent to the applications and devices in the network.
NetFlow should not have to be supported and running on all devices in the network to
function.
Achieving these design criteria ensured that NetFlow is very easy to implement in the most
complex of existing networks.
The analogy for NetFlow is a detailed phone bill. These phone records provide call-by-call
and aggregated statistics that enable the administrator (the person paying the bill) to track
long calls, frequent calls, or even calls that should not have been made at all. NetFlow does
a similar thing: it gives details of bandwidth usage.

Components of NetFlow
A typical flow monitoring setup (using NetFlow) consists of three main components:
Flow exporter: aggregates packets into flows and exports flow records towards one or
more flow collectors.
Flow collector: responsible for reception, storage and pre-processing of flow data received
from a flow exporter.
Analysis application: analyzes received flow data in the context of intrusion detection or
traffic profiling, for example.

Here, NetFlow is enabled on the NetFlow exporter (the router in the figure). The exporter
monitors packets entering an Observation Point and creates Flows from these packets. The
information from these Flows is exported in the form of Flow Records to the NetFlow
collector. The analysis software then analyses the flow storage on the NetFlow collector and
produces reports or graphs that are readable by the network administrator.

What is an IP Flow?
An IP Flow, also called a Flow, is defined as a set of IP packets passing an Observation
Point in the network during a certain time interval. All packets that belong to a particular
Flow have a set of common properties derived from the data contained in the packet and
from the packet treatment at the Observation Point.
Each packet that is forwarded within a router or switch is examined for a set of IP packet
attributes. These attributes are the IP packet identity, or fingerprint, of the packet and
determine whether the packet is unique or similar to other packets.

Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.
IP packet attributes used by NetFlow:
IP source address
IP destination address
Source port
Destination port
Layer 3 protocol type
Class of Service
Router or switch interface
All packets with the same source/destination IP address, source/destination ports, protocol,
interface and class of service are grouped into a flow, and then packets and bytes are
tallied.
This flow information is extremely useful for understanding network behavior:
Source address allows the understanding of who is originating the traffic
Destination address tells who is receiving the traffic
Ports characterize the application utilizing the traffic
Class of service examines the priority of the traffic
The device interface tells how traffic is being utilized by the network device
Tallied packets and bytes show the amount of traffic

One IP flow will be created for all packets that match all 7 parameters, and the flows are
stored in the router as flow 1, flow 2, flow 3, ...
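The grouping just described, as an added example (not code from this study note or from Cisco): packets that share the seven key fields are tallied into one cache entry, and an entry is turned into a record when it times out. The packet trace is constructed; the two timeouts are the defaults shown in the show ip cache flow output later in this chapter (active 30 minutes, inactive 15 seconds), and the expiry paragraph in the next section describes the same mechanism.

```python
"""Packets -> flows -> records, the way a NetFlow exporter does it. Added example."""
from dataclasses import dataclass

ACTIVE_TIMEOUT = 30 * 60    # seconds a long-lived flow may stay in the cache
INACTIVE_TIMEOUT = 15       # seconds of silence before a flow is expired


@dataclass
class Packet:
    ts: float        # seconds since boot (constructed clock)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # layer 3 protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int         # class of service / ToS byte
    ifindex: int     # input interface index (the SNMP ifIndex)
    length: int      # bytes on the wire


def flow_key(p: Packet) -> tuple:
    """The seven attributes that define a flow."""
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.ifindex)


class FlowCache:
    def __init__(self):
        self.active = {}     # key -> flow currently being tallied
        self.records = []    # expired flows, i.e. what gets exported

    def observe(self, p: Packet) -> None:
        self.expire(p.ts)
        key = flow_key(p)
        flow = self.active.get(key)
        if flow is None:
            self.active[key] = {"key": key, "first": p.ts, "last": p.ts,
                                "packets": 1, "bytes": p.length}
        else:
            flow["last"] = p.ts
            flow["packets"] += 1
            flow["bytes"] += p.length

    def expire(self, now: float) -> None:
        """The 'ager': move timed-out flows from the cache to the export list."""
        for key, flow in list(self.active.items()):
            if now - flow["last"] > INACTIVE_TIMEOUT:
                flow["reason"] = "inactive"
            elif now - flow["first"] > ACTIVE_TIMEOUT:
                flow["reason"] = "active"
            else:
                continue
            self.records.append(self.active.pop(key))

    def flush(self) -> None:
        """Export everything left, e.g. when the cache is cleared or full."""
        for key in list(self.active):
            flow = self.active.pop(key)
            flow["reason"] = "flush"
            self.records.append(flow)


# Constructed packet trace: a web session, its return traffic, one DNS query,
# then a new web session 30 seconds later.
PACKETS = [
    Packet(0.0, "10.10.1.1", "10.10.2.2", 1044, 80, 6, 0, 1, 60),
    Packet(0.5, "10.10.2.2", "10.10.1.1", 80, 1044, 6, 0, 2, 1200),
    Packet(1.0, "10.10.1.1", "10.10.2.2", 1044, 80, 6, 0, 1, 500),
    Packet(2.0, "10.10.1.1", "10.10.2.2", 1044, 80, 6, 0, 1, 60),
    Packet(2.5, "10.10.1.1", "10.10.2.2", 53000, 53, 17, 0, 1, 80),
    Packet(30.0, "10.10.1.1", "10.10.2.2", 1045, 80, 6, 0, 1, 60),
]


def simulate(packets=PACKETS) -> list:
    """Run the trace through the cache and return the exported records in order."""
    cache = FlowCache()
    for p in packets:
        cache.observe(p)
    cache.flush()
    return cache.records
```

Note that the two directions of the same TCP connection are two flows, because source and destination are swapped; an analysis application has to pair them itself if it wants per-connection totals.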

What is a NetFlow Record?
A Flow Record provides information about an IP Flow observed at an Observation Point.
Flow Data Records are also referred to as NetFlow services data and NetFlow data in
some documents.
A NetFlow record can contain a wide variety of information about the traffic in a given flow.
NetFlow version 5 (one of the most commonly used versions, followed by version 9)
contains the following:
Input interface index used by SNMP
Output interface index
Timestamps for flow start and finish
Number of bytes and packets in the flow
Layer 3 headers
TCP flags
Layer 3 routing information
NetFlow Version 9 includes these fields and more, including Multiprotocol Label Switching
(MPLS) labels and IPv6 addresses and ports.
After observing IP packets on an interface, the router forms IP flows. When the timer expires
(or the flow expires, or the cache is full) it creates NetFlow records out of the IP flows and
sends these NetFlow records to the collector.
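The record fields listed above are what a version 5 export datagram carries on the wire. As an added example (not code from this study note or from Cisco), here is an encoder and a decoder for that datagram, i.e. the first job of a collector. The layout is the documented v5 format: a 24-byte header followed by up to 30 48-byte records, all big-endian. Every value in the sample records is constructed. The decoder refuses anything whose count field does not match the datagram length, since a collector listening on a UDP port must not trust that field blindly.

```python
"""NetFlow v5 export datagram: build on the exporter, parse on the collector. Added example."""
import struct
from ipaddress import IPv4Address

HEADER_FMT = "!HHIIIIBBH"        # 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def build_v5(records, sys_uptime, unix_secs, flow_sequence, engine_id=0):
    """Exporter side: one datagram for 1..30 flow records."""
    if not 0 < len(records) <= MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    out = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0,
                      flow_sequence, 0, engine_id, 0)
    for r in records:
        out += struct.pack(
            RECORD_FMT,
            IPv4Address(r["srcaddr"]).packed, IPv4Address(r["dstaddr"]).packed,
            IPv4Address(r["nexthop"]).packed, r["input"], r["output"],
            r["dPkts"], r["dOctets"], r["first"], r["last"],
            r["srcport"], r["dstport"], 0, r["tcp_flags"], r["prot"], r["tos"],
            r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0)
    return out


def parse_v5(data):
    """Collector side: (header dict, list of record dicts), or ValueError if malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    header = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))
    if header["version"] != 5:
        raise ValueError("not a v5 datagram")
    if not 0 < header["count"] <= MAX_RECORDS:
        raise ValueError("bad record count")
    if len(data) != HEADER_LEN + header["count"] * RECORD_LEN:
        raise ValueError("count does not match datagram length")
    records = []
    for i in range(header["count"]):
        off = HEADER_LEN + i * RECORD_LEN
        rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(IPv4Address(rec[k]))
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return header, records


def is_wellformed(data) -> bool:
    try:
        parse_v5(data)
        return True
    except ValueError:
        return False


# Constructed records: the web flow and DNS flow from the flow example above.
SAMPLE_RECORDS = [
    {"srcaddr": "10.10.1.1", "dstaddr": "10.10.2.2", "nexthop": "10.10.2.2",
     "input": 1, "output": 2, "dPkts": 3, "dOctets": 620, "first": 1000, "last": 3000,
     "srcport": 1044, "dstport": 80, "tcp_flags": 0x18, "prot": 6, "tos": 0,
     "src_as": 0, "dst_as": 0, "src_mask": 24, "dst_mask": 24},
    {"srcaddr": "10.10.1.1", "dstaddr": "10.10.2.2", "nexthop": "10.10.2.2",
     "input": 1, "output": 2, "dPkts": 1, "dOctets": 80, "first": 2500, "last": 2500,
     "srcport": 53000, "dstport": 53, "tcp_flags": 0, "prot": 17, "tos": 0,
     "src_as": 0, "dst_as": 0, "src_mask": 24, "dst_mask": 24},
]
```

The "first"/"last" values are router uptime in milliseconds, which is why the header carries both sys_uptime and unix_secs: the collector needs both to turn them into wall-clock times.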

We will study more on this in higher certificate exams.

Purposes of NetFlow
While the potential uses of the statistics that NetFlow provides are quite vast, most
organizations use NetFlow for some or all of the following key purposes:
General network traffic accounting for baseline analysis
Usage-based network billing for consumers of network services
Network design, including redesigns to include new network devices and
applications to meet the needs of growing infrastructures
General network security design
Denial of service (DoS) and distributed DoS (DDoS) detection and prevention data
Ongoing network monitoring
Validation of network QoS policies
Network traffic accounting
NetFlow data provides fine-grained metering (e.g. flow data includes details such as IP
addresses, packet and byte counts, timestamps, type-of-service and application ports,
etc.) for highly flexible and detailed resource utilization accounting. Service providers may
utilize this information to migrate away from single-fee, flat-rate billing to more flexible
charging mechanisms based on time of day, bandwidth usage, application usage, quality
of service, etc. Enterprise customers may utilize the information for departmental
chargeback or cost allocation for resource utilization.
Usage-based network billing
You can cross-check ISP charges with your own billing system, available with the Billing
add-on. You can also associate bandwidth costs with each department in your organization
to help you plan well within allocated bandwidth budgets. The Billing add-on over the
NetFlow plug-in helps you account for your bandwidth by assigning costs to usage
(volume-based) or bandwidth (speed-based).
Network design
NetFlow data provides key information to optimize both strategic network planning (e.g.
who to peer with, backbone upgrade planning, routing policy planning) as well as tactical
network engineering decisions (e.g. adding additional VIPs to routers, upgrading link
capacity), minimizing the total cost of network operations while maximizing network
performance, capacity and reliability.
General network security design
Every enterprise has its own model for network design. Normal tools for security are
firewalls, ACLs, IPS, VPN, password authentication, antivirus, anti-malware, etc. Most
enterprises follow a layered approach to security design using these tools. NetFlow aids in
these designs by monitoring the bandwidth.
(One scenario)
A network engineer observes anomalous peaks in network load at the start of the business
day. He views the traffic report and observes spikes in the traffic pattern. He suspects a
possible worm attack that has been known to be affecting computer networks elsewhere.
To confirm his suspicion he views the Troubleshoot report in the NetFlow Analyzer. He
finds unusually high traffic on port UDP 1434, which is characteristic of a SQL Slammer
virus attack. Now he can drill down to see the IP addresses from which this attack is
originating and also the list of IP addresses that are infected. He can now block the source
of this attack and then proceed to apply the appropriate patch on the infected IPs. NetFlow
Analyzer helps network managers to quickly identify the cause of attacks and take
immediate corrective action to contain any possible damage.
DoS, DDoS
A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to
make a machine or network resource unavailable to its intended users. One common
method of attack involves saturating the target machine with external communications
requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as
to be rendered essentially unavailable. In the case of Denial-of-Service (DoS) attacks, the
NetFlow analyzer facilitates quick problem isolation and resolution to bring down your
Mean Time To Resolve.

Ongoing bandwidth monitoring
Administrators are often left to deal with bandwidth problems. Troubleshooting a spike or
narrowing down on what is choking the bandwidth is an everyday task. Unfortunately
SNMP cannot give you these insights!
Cisco's NetFlow gives you the insight you need on your bandwidth. The flows are
typically exported from the Cisco devices to the NetFlow collector, where the collected
flows are stored in the database for further analysis. When analyzing high bandwidth
usage, the questions to reckon with are:
Who is using the most traffic (top talker) and using excessive bandwidth?
Which applications (ports and protocols) are eating up the most bandwidth?
Is it legitimate business traffic?
Who is the top listener?
Which websites are routinely visited?
Which is the most downloaded content?
Is it time for a bandwidth upgrade?
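Answering the first four of those questions from stored flow records is a matter of grouping and summing, and the same records expose the worm scenario described in the security-design section as a per-port spike plus a small set of sources fanning out to many destinations. The following is an added example, not code from this study note or from any NetFlow analyzer product; the flow records and the "normal day" baseline are constructed.

```python
"""Top talker / top listener / top application, and a per-port spike check. Added example."""
from collections import Counter, defaultdict

# Constructed records as a collector would store them: one dict per expired flow.
FLOWS = [
    {"src": "10.1.1.10", "dst": "203.0.113.5", "prot": 6, "dport": 443,
     "bytes": 900_000_000, "packets": 700_000},
    {"src": "10.1.1.11", "dst": "203.0.113.9", "prot": 6, "dport": 80,
     "bytes": 120_000_000, "packets": 100_000},
    {"src": "203.0.113.5", "dst": "10.1.1.10", "prot": 6, "dport": 52000,
     "bytes": 40_000_000, "packets": 60_000},
    {"src": "10.1.1.12", "dst": "10.1.2.20", "prot": 17, "dport": 53,
     "bytes": 30_000, "packets": 300},
] + [
    # 500 tiny single-packet UDP/1434 flows from two hosts to 250 destinations each
    {"src": "10.1.1.2%d" % (i % 2), "dst": "10.1.%d.%d" % (i // 250 + 3, i % 250 + 1),
     "prot": 17, "dport": 1434, "bytes": 404, "packets": 1}
    for i in range(500)
]

# Constructed baseline: flows per destination port on a normal day.
BASELINE_FLOWS_PER_PORT = {443: 300, 80: 400, 53: 600, 1434: 2}


def top_talkers(flows, n=3):
    """Who sends the most bytes."""
    c = Counter()
    for f in flows:
        c[f["src"]] += f["bytes"]
    return c.most_common(n)


def top_listeners(flows, n=3):
    """Who receives the most bytes."""
    c = Counter()
    for f in flows:
        c[f["dst"]] += f["bytes"]
    return c.most_common(n)


def top_ports(flows, n=3):
    """Which application (protocol, destination port) eats the most bandwidth."""
    c = Counter()
    for f in flows:
        c[(f["prot"], f["dport"])] += f["bytes"]
    return c.most_common(n)


def port_spikes(flows, baseline, factor=10):
    """Ports whose flow count exceeds `factor` times their baseline (1 for ports
    never seen before). Returns sorted (port, flows_now, baseline) tuples."""
    counts = Counter(f["dport"] for f in flows)
    return sorted((port, n, baseline.get(port, 0)) for port, n in counts.items()
                  if n > factor * max(baseline.get(port, 0), 1))


def sources_by_peer_count(flows, dport, min_peers=50):
    """Sources talking to at least `min_peers` distinct destinations on `dport`:
    the fan-out that identifies the hosts to isolate and patch."""
    peers = defaultdict(set)
    for f in flows:
        if f["dport"] == dport:
            peers[f["src"]].add(f["dst"])
    return sorted(s for s, d in peers.items() if len(d) >= min_peers)
```

Bytes and flow counts answer different questions: by bytes the worm traffic is invisible next to one large HTTPS download, while by flow count per port it dominates. Keeping a per-port baseline is what turns "unusually high traffic on port UDP 1434" from a hunch into a check.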

Validate network QoS policies
NetFlow helps you qualify the QoS policies set on the router and ensure that the right
type of traffic gets priority in the network. [QoS (Quality of Service) is the idea that
transmission rates, error rates, and other characteristics can be measured, improved, and,
to some extent, guaranteed in advance.]

How to Access the Data Produced by NetFlow?
There are two primary methods to access NetFlow data: the Command Line Interface (CLI)
with show commands, or an application reporting tool. If you are interested in an
immediate view of what is happening in your network, the CLI can be used. The NetFlow CLI
is very useful for troubleshooting.
The other choice is to export NetFlow to a reporting server, or what is called the "NetFlow
collector". The NetFlow collector has the job of assembling and understanding the
exported flows and combining or aggregating them to produce the valuable reports used
for traffic and security analysis. NetFlow export, unlike SNMP polling, pushes information
periodically to the NetFlow reporting collector.

Configuring NetFlow v9
These four steps must be completed to properly implement NetFlow on a router:
1. Configure NetFlow data capture by enabling it for ingress (incoming) and egress (outgoing)
packets on an interface.
2. Configure NetFlow data export by specifying the IP address of the NetFlow collector and
the UDP port the collector listens on, in global configuration mode.
3. Configure the NetFlow data export version by specifying the version of NetFlow in global
configuration mode.
4. Configure the NetFlow data source interface by specifying a logical interface of the device
in global configuration mode.
Here is an example of configuring NetFlow on a router:
Router(config)#int fa0/0
Router(config-if)#ip flow ingress
Router(config-if)#ip flow egress
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.10.100 9996
Router(config)#ip flow-export version 9
Router(config)#ip flow-export source loopback 0
Note here that the ip flow-export global command has 3 alternative parameters:
Router(config)#ip flow-export ?
  destination  Specify the Destination IP address
  source       Specify the interface for source address
  version      Specify the version number

Another thing to notice here is that the source address is not the interface being monitored.
A logical interface like loopback 0 is used for this purpose.

Verification of ip flow
You can check the local NetFlow cache on a router directly, proving that the router is at
least collecting the data, with the show ip cache flow command.
R1# show ip cache flow
IP packet size distribution (255 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  1 active, 65535 inactive, 1 added
  32 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
  1 active, 16383 inactive, 1 added, 1 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          14      0.0        19    58      0.1       6.5      11.7
TCP-WWW              8      0.0         9   108      0.1       2.5       1.7

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.10.1.1       S0/0/0        10.10.2.2       01 0044 0050   255

You can see that 255 packets have been monitored by NetFlow. The bottom lines show
that the router is collecting flows for Telnet and HTTP. You can see the source and
destination ports in hex: 44 (68 in decimal) and 50 (80 in decimal). You can also see the
source IP address and destination IP address. It's important to remember that the show ip
cache flow command provides a summary of NetFlow statistics, including which protocols
are in use.
You can use the command show ip flow interface to verify that you have NetFlow
configured on the correct interfaces in the correct directions.
R1# show ip flow interface
FastEthernet0/0
  ip flow ingress
  ip flow egress

Then, to check the configuration of your export parameters, you can use the command
show ip flow export.
R1# show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       1.1.1.1 (Loopback0)
    Destination(1)  10.1.10.100 (99)
  Version 9 flow records
  0 flows exported in 0 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

CHAPTER 3
SYSLOG
Overview
It is amazing just how helpful Cisco devices try to be to their administrators. When major
(and even not-so-major) events take place, these Cisco devices attempt to notify
administrators with detailed system messages. As you learn in this section, these
messages vary from the very mundane to those that are incredibly important. Cisco devices
use a protocol called syslog which permits your various Cisco devices (and some other
non-Cisco devices) to send their system messages across the network to syslog servers.
You should note that you can even build a special out-of-band (OOB) network (use of a
dedicated channel for managing network devices) for this purpose. There are many
different syslog server software packages for Windows and UNIX. Many of them are even
freeware, e.g. Kiwi Syslog Server.

What is syslog?
Syslog is a standardized mechanism for logging in computer systems. In computing, a log
file is a file that records either the events which happen while an operating system or
other software runs, or the personal messages between different users of a communication
software. The act of keeping a log is called logging. In the simplest case, log messages are
written to a single log file. Syslog is supported by a wide variety of devices (like printers
and routers) and receivers across multiple platforms. Because of this, syslog can be used
to integrate log data from many different types of systems into a central repository.
Syslog is a client/server protocol. A logging application transmits a text message to the
syslog receiver. The receiver is commonly called syslogd, the syslog daemon or the syslog
server. Syslog messages may be sent via UDP or TCP. The data is sent in clear text.

Features of a syslog server
Syslog servers log the messages and usually provide an easy means to display and sort
the messages, all of which makes them a really great troubleshooting tool.
Administrators can easily use the wealth of information presented in system messages.
They can search for messages with certain keywords or severity levels. The search feature
is especially powerful because you can use keywords and even severity levels.
The server can send email or text alerts to admins based on the severity level of the message.
Administrators can also use syslog server software to delete from the database all of those
system messages that are not important.

How to access syslog messages in Cisco devices?


Popular destinations for syslog messages include the following:
The logging buffer (RAM inside the router or switch)
The console line
The terminal lines
A syslog server

What are severity levels in syslog?


RFC 5452 defines eight levels of severity.

Code  Severity        Description
0     Emergency       System is unstable
1     Alert           Immediate action is required
2     Critical        Critical condition, immediate action is required
3     Error           Non-urgent failures, must be resolved in a given time
4     Warning         Warning messages, not an error, but an indication that an error will
                      occur if action is not taken; must be resolved in a given time
5     Notification    Normal but significant condition; no immediate action required
6     Informational   Normal operational messages; no action required
7     Debugging       Debugging messages, useful info to engineers for debugging an
                      application; not useful during operations

Notice that levels 0 through 4 are for events that could seriously impact the device,
whereas levels 5 through 7 are for less important events. Obviously, an administrator can
consider this when deciding how to handle messages. For instance, the administrator
could choose to send only warning level (4) messages and lower (more severe) to the
syslog server, instead of cluttering the syslog server with messages for all eight levels.
I have made a mnemonic for these severity levels: EA CrEW have No ID yet (letters in
caps are the severity levels). A common mnemonic used to remember the syslog levels from
bottom to top is: "Do I Notice When Evenings Come Around Early".
When I practised multiple choice questions from the Todd Lammle book, I made mistakes even
after making the mnemonic. Severity level starts with code 0, not 1. I started counting from 1
but it starts from zero.

What is the format of syslog messages in Cisco devices?


Let's examine one of the messages from our Cisco router to see the default message
format:

*Mar 1 00:02:17.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Notice that by default on this particular device, we see the following:
A timestamp: *Mar 1 00:02:17.979
The facility on the router that generated the message: %LINEPROTO
The severity level: 5
A mnemonic for the message: UPDOWN
The description of the message: Line protocol on Interface FastEthernet0/0, changed state
to up
You have now seen the default system message format on a particular Cisco router, but
you should know that you can control the format of your messages. For example, we can
turn off timestamps and turn on sequence numbers as shown below.
R1(config)# no service timestamps
R1(config)# service sequence-numbers
R1(config)# end
R1#
000011: %SYS-5-CONFIG_I: Configured from console by console
The message format now features the following:
Sequence number: 000011
Facility: %SYS
Severity level: 5
Mnemonic: CONFIG_I
Description: Configured from console by console
To enable timestamps again, use the service timestamps log datetime msec global command.
Let us consider this excerpt of show running-config output:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
When we run show running-config on any Cisco device, it shows the above section. If you
forget the command to enable timestamps, just run show running-config.
The service timestamps debug datetime msec command enables timestamps in debug
messages (by default it is on).
The service timestamps log datetime msec command enables timestamps in syslog
messages (by default it is on).
The service password-encryption command encrypts all clear text passwords when displayed
in running-config (by default it is off).

Configuring and verifying SYSLOG


By default, Cisco routers and switches send log messages for all severity levels to the
console. On some IOS versions, the device also buffers those log messages by default. To
enable these two settings, the configuration would use the logging console and logging
buffered global configuration commands, respectively. To disable either of these logging
services, just use the no version of either command: no logging console or no logging
buffered. You have to use the terminal monitor global command to send log messages to
terminal lines (Telnet, SSH).
The show logging command lets us examine the logging service settings on a Cisco router,
as shown below. The first lines of output list information about the logging process, with
the end of the output listing log messages.
R1# show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited,0 flushes, 0 overruns, xml disabled,
filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 10 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level debugging, 10 messages logged, xml disabled,filtering disabled
Logging Exception size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 13 message lines logged
Log Buffer (8192 bytes):
*Dec 18 17:10:14.079: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
...

Focus on the Console logging and Buffer logging lines, which tell us something about the
logging service. The first of them states that this router logs to the console and will include
debug messages, actually meaning debug level messages and all lower levels. The output
also notes that ten such messages have been logged.
The second states that this router logs to an internal buffer. Because this router has
enabled logging to an internal buffer, the show logging command also lists the messages
in that buffer. You can see some of the system messages that have been logged at the end
of the example.
Configuring the router to send system messages to a syslog server where they can be
stored, filtered, and analyzed is a simple task:
Step 1. First, configure the destination hostname or IP address of the syslog server:
R1(config)# logging 192.168.1.101
Step 2. Next, you can control which messages are sent there. For example, to limit the
messages for levels 4 and lower (0 through 4), use the following command:

R1(config)# logging trap 4


Note
Notice that by specifying the highest level (least severe), this includes the levels below
(more severe). Also, this command accepts the name of the level, so you could
use logging trap warning.
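To make the message format and the trap-level filtering concrete, here is an added Python example; it is not from the original note and not Cisco code. It parses lines in the default IOS format shown earlier (an optional timestamp or sequence-number prefix, then %FACILITY-SEVERITY-MNEMONIC: description), maps the severity code to the name from the table above, and then applies the same rule as logging trap: keep the given level and every more severe (lower-numbered) level. The keyword search mirrors what a syslog server's search feature does. The regular expression shape, the function names and the %EXAMPLE-* sample lines are assumptions made for this example; the other sample lines are the ones quoted in this note.

```python
"""Parse Cisco IOS syslog lines and apply a "logging trap"-style severity filter.

Added study example, not code from the original note or from Cisco.
Assumption: the prefix is either an IOS timestamp (optional leading '*') or a
sequence number, each followed by ': '; other prefixes (hostname, year,
timezone) would need the pattern extended.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Severity codes and names as listed in the note's table (0 = most severe).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}
SEVERITY_CODES = {name: code for code, name in SEVERITY_NAMES.items()}

# "%FACILITY-SEVERITY-MNEMONIC: description" with an optional timestamp or
# sequence-number prefix (assumed pattern, see module docstring).
_MSG_RE = re.compile(
    r"^(?:(?:\*?(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"|(?P<sequence>\d+)): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    timestamp: Optional[str] = None   # present when "service timestamps log" is on
    sequence: Optional[int] = None    # present when "service sequence-numbers" is on

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for lines that are not IOS syslog output."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    seq = m.group("sequence")
    return SyslogMessage(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        description=m.group("description"),
        timestamp=m.group("timestamp"),
        sequence=int(seq) if seq is not None else None,
    )


def parse_lines(lines: Iterable[str]) -> List[SyslogMessage]:
    """Parse a batch of lines, skipping non-syslog lines such as banners and prompts."""
    return [msg for msg in map(parse_message, lines) if msg is not None]


def severity_threshold(level: Union[int, str]) -> int:
    """Accept a code (0-7) or a name, as "logging trap 4" / "logging trap warning" do."""
    if isinstance(level, int):
        if level not in SEVERITY_NAMES:
            raise ValueError(f"severity code out of range: {level}")
        return level
    try:
        return SEVERITY_CODES[level.lower()]
    except KeyError:
        raise ValueError(f"unknown severity name: {level}") from None


def trap_filter(messages: Iterable[SyslogMessage], level: Union[int, str]) -> List[SyslogMessage]:
    """Keep the given level and all more severe (lower-numbered) levels, which is
    what "logging trap <level>" forwards to the syslog server."""
    threshold = severity_threshold(level)
    return [msg for msg in messages if msg.severity <= threshold]


def keyword_search(messages: Iterable[SyslogMessage], keyword: str) -> List[SyslogMessage]:
    """Case-insensitive search over mnemonic and description, like a syslog server's search."""
    needle = keyword.lower()
    return [msg for msg in messages
            if needle in msg.mnemonic.lower() or needle in msg.description.lower()]


# Constructed sample input: the first three lines are quoted in the note; the
# %EXAMPLE-* lines are made up for this example and are not real IOS messages.
SAMPLE_LINES = [
    "*Mar 1 00:02:17.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "000011: %SYS-5-CONFIG_I: Configured from console by console",
    "*Dec 18 17:10:14.079: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "*Dec 18 17:10:20.001: %EXAMPLE-2-CONSTRUCTED: constructed critical-level sample line",
    "%EXAMPLE-7-CONSTRUCTED: constructed debug-level sample line",
    "Building configuration...",   # not a syslog message; parser returns None
]

if __name__ == "__main__":
    msgs = parse_lines(SAMPLE_LINES)
    # Same selection as "logging trap warning": levels 0 through 4 only.
    for msg in trap_filter(msgs, "warning"):
        print(f"{msg.severity} {msg.severity_name:<13} %{msg.facility}-{msg.severity}-{msg.mnemonic}: {msg.description}")
```

Running the block with logging trap warning semantics keeps only the LINK-3 and the constructed level-2 line; the two level-5 messages and the level-7 line are dropped, which is exactly the clutter the note says you keep off the syslog server.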

This document only tries to explain what is written in CCNA study guides. I didn't discuss any
advanced topic on SNMP, NetFlow, syslog. Hope this will help in your studies.
Vipin Viswanathan
